Brigade 2.3.0

Happy Valentine’s Day, Brigadiers! ❤️

Today, we’re excited to announce our feature-packed v2.3.0 release! Complete details are available in the release notes, of course, but since the latest episode of our “Brigade in Five Minutes” series focused on authentication using third-party identity providers, and because we anticipate the next episode covering management of user permissions, now seems like an appropriate time to turn the spotlight on a specific new feature that streamlines that process.

Beginning with Brigade v2.3.0, if you leverage a third-party identity provider like GitHub or an Azure Active Directory tenant to authenticate your users, there is now an option to automatically grant users global, read-only permissions the first time they authenticate. This can be a tremendous convenience for Brigade administrators that already have a good handle on who can successfully authenticate and don’t want to be burdened with continuously fielding access requests.

This snippet from the values.yaml file used with helm install to deploy the Brigade team’s own Brigade instance illustrates:

## ...

## All settings for the API server

  ## ...

  ## Options for authenticating via a third-party authentication provider.
    ## Valid values are "oidc" (for OpenID Connect), "github" (for OAuth2 with
    ## GitHub as the identity provider), or "disabled"
    strategy: github
    ## ...
      ## The API server uses the client ID and client secret to authenticate
      ## itself to GitHub.
      clientID: *** REDACTED ***
      clientSecret: *** REDACTED ***
      ## GitHub lacks the sophisticated access controls available in identity
      ## platforms like Google Identity Platform and Azure Active Directory--
      ## controls that could be used to limit who can successfully authenticate
      ## to Brigade. Given this, allowedOrganizations below can be used to
      ## enumerate the GitHub organizations whose members are permitted to
      ## authenticate to Brigade. If this list is left commented or empty,
      ## access will not be restricted by organization.
      - brigadecore
    ## ...
    ## Optionally grant global, read-only permissions to all users the first
    ## time they authenticate. Note that even with global read permissions,
    ## access to logs still requires the PROJECT_USER for the applicable
    ## project.
    grantReadOnInitialLogin: true

Above, you can see that we’ve enabled users to authenticate via GitHub, but per the apiserver.thirdPartyAuth.github.allowedOrganizations, only members of the brigadecore GitHub organization can do so successfully. Since membership in that organization is well-controlled and we’re comfortable with all members of that organization being granted at least read-only permissions, we’ve set apiserver.thirdPartyAuth.grantReadOnInitialLogin to a value of true (false is the default).

⚠️ Note that the permissions are granted the first time a user authenticates, so permissions for users who have previously logged in are entirely unaffected by this option.

Happy scripting, everyone! And until next time, remember you can always find the maintainers on the #brigade channel on the Kubernetes Slack if you have questions or need help getting started!